{"id":865,"date":"2026-04-16T11:36:49","date_gmt":"2026-04-16T11:36:49","guid":{"rendered":"https:\/\/www.devopsschool.com\/tutorials\/oracle-cloud-artifact-registry-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-compute\/"},"modified":"2026-04-16T11:36:49","modified_gmt":"2026-04-16T11:36:49","slug":"oracle-cloud-artifact-registry-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-compute","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/tutorials\/oracle-cloud-artifact-registry-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-compute\/","title":{"rendered":"Oracle Cloud Artifact Registry Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Compute"},"content":{"rendered":"\n

Category<\/h2>\n\n\n\n

Compute<\/p>\n\n\n\n

1. Introduction<\/h2>\n\n\n\n

Oracle Cloud Artifact Registry<\/strong> is Oracle Cloud Infrastructure (OCI)\u2019s managed service for storing and distributing software artifacts\u2014most commonly container images<\/strong> used by Compute workloads (VMs, Kubernetes, Functions, CI\/CD runners).<\/p>\n\n\n\n

Simple explanation:<\/strong> Artifact Registry is a secure, centralized \u201cwarehouse\u201d for the build outputs your applications need at runtime\u2014so your servers and clusters can reliably pull the right container image or package version whenever they deploy.<\/p>\n\n\n\n

Technical explanation:<\/strong> Artifact Registry provides regional, compartment-scoped repositories that support standards-based distribution protocols (for example, Docker Registry HTTP API v2 for container images). It integrates with OCI Identity and Access Management (IAM) for authorization, with OCI Audit for control-plane visibility, and with common OCI compute services such as Compute<\/strong> instances and Container Engine for Kubernetes (OKE)<\/strong> for image pulls.<\/p>\n\n\n\n

What problem it solves:<\/strong> In modern delivery pipelines, application releases produce artifacts (images, charts, packages) that must be stored, versioned, secured, and delivered quickly to runtime environments. Without a managed registry, teams end up with inconsistent builds, ad-hoc storage, manual access control, slow pulls, and higher operational burden. Artifact Registry addresses these issues with a managed, IAM-integrated registry built for OCI.<\/p>\n\n\n\n

\n

Naming note (important): OCI historically referred to its container registry as OCI Registry (OCIR)<\/strong> and still uses the ocir.io<\/code> domain in endpoints. Artifact Registry<\/strong> is the current service name in OCI Console and documentation. If you see OCIR in older guides, it typically refers to the same family of capabilities. Verify current naming and features in the official docs linked in Section 17.<\/p>\n<\/blockquote>\n\n\n\n

\n\n\n\n

2. What is Artifact Registry?<\/h2>\n\n\n\n

Official purpose:<\/strong> Artifact Registry is OCI\u2019s service for hosting and managing software artifacts\u2014especially container images<\/strong>\u2014so teams can push artifacts from build systems and pull them from runtime environments in a controlled, auditable way.<\/p>\n\n\n\n

Core capabilities (commonly used):<\/strong>\n– Create and manage repositories in OCI compartments\n– Push and pull container images<\/strong> using standard Docker\/OCI tooling\n– Control access with OCI IAM policies\n– Organize artifacts by repository and tags (and\/or digests)\n– Integrate artifacts into OCI deployment targets (Compute, OKE, DevOps)<\/p>\n\n\n\n

Major components:<\/strong>\n– Tenancy namespace<\/strong>: A unique identifier used as part of image names and endpoints (commonly required when tagging images for OCI).\n– Repositories<\/strong>: Logical collections of artifacts (for example, a repository per application or per team).\n– Artifacts<\/strong>: The stored items (commonly container image manifests\/layers).\n– Tags and digests<\/strong>: Human-friendly pointers (tags) and immutable identifiers (digests) used to reference images.<\/p>\n\n\n\n

Service type:<\/strong> Managed registry service (control plane via OCI APIs\/Console; data plane via registry endpoints).<\/p>\n\n\n\n

Scope and placement:<\/strong>\n– Regional service<\/strong>: Repositories exist in a specific OCI region. Your clients push\/pull from the region endpoint (for example, a *.ocir.io<\/code> host).\n– Tenancy + compartment-scoped management<\/strong>: Administrative control is governed by IAM policies in compartments within a tenancy.\n– Network access<\/strong>: Typically accessed over HTTPS via a public endpoint; private network patterns depend on OCI networking options and service capabilities in your region (verify in official docs).<\/p>\n\n\n\n

How it fits into the Oracle Cloud ecosystem (especially Compute):<\/strong>\n– Compute instances<\/strong> pull images to run containerized workloads (Docker\/Podman).\n– OKE<\/strong> pulls images to schedule containers on Kubernetes nodes.\n– OCI DevOps<\/strong> build pipelines push images; deploy pipelines reference them.\n– IAM<\/strong> defines who can create repos, push images, and pull images.\n– Audit<\/strong> records management actions (for example, repo creation\/deletion). Data-plane logging (image pull\/push events) varies\u2014verify in docs for your exact needs.<\/p>\n\n\n\n

\n\n\n\n

3. Why use Artifact Registry?<\/h2>\n\n\n\n

Business reasons<\/h3>\n\n\n\n
    \n
  • Faster, repeatable releases:<\/strong> Centralized artifacts reduce \u201cworks on my machine\u201d drift and improve deployment consistency.<\/li>\n
  • Reduced operational overhead:<\/strong> Managed service eliminates running your own registry infrastructure and patching it.<\/li>\n
  • Cleaner governance:<\/strong> Repository organization by compartment supports business unit\/team separation.<\/li>\n<\/ul>\n\n\n\n

    Technical reasons<\/h3>\n\n\n\n
      \n
    • Standards-based tooling:<\/strong> Works with Docker-compatible clients and common CI systems.<\/li>\n
    • Regional proximity:<\/strong> Hosting artifacts in the same region as runtime Compute reduces pull latency and improves rollout speed.<\/li>\n
    • Immutable references (via digests):<\/strong> Supports safer deployments by pinning exact image digests (where your tooling supports it).<\/li>\n<\/ul>\n\n\n\n

      Operational reasons<\/h3>\n\n\n\n
        \n
      • OCI-native IAM:<\/strong> Use groups, dynamic groups, and policies for consistent access control.<\/li>\n
      • Compartment model:<\/strong> Align repositories with environments (dev\/test\/prod) and teams.<\/li>\n
      • Automation-friendly:<\/strong> Manage repos and images via OCI APIs\/CLI (verify command set in your OCI CLI version).<\/li>\n<\/ul>\n\n\n\n

        Security \/ compliance reasons<\/h3>\n\n\n\n
          \n
        • Least privilege access:<\/strong> Separate who can push vs. who can pull.<\/li>\n
        • Auditability (control plane):<\/strong> Administrative actions can be tracked via OCI Audit.<\/li>\n
        • Encryption-at-rest and TLS-in-transit:<\/strong> OCI services generally encrypt data at rest and use TLS for transport; confirm specifics in Artifact Registry docs for your compliance baseline.<\/li>\n<\/ul>\n\n\n\n

          Scalability \/ performance reasons<\/h3>\n\n\n\n
            \n
          • Designed for many pulls:<\/strong> Registries are optimized for distributing images to fleets of nodes.<\/li>\n
          • Supports modern delivery patterns:<\/strong> Blue\/green or canary rollouts involve many concurrent pulls; a registry is the correct distribution primitive.<\/li>\n<\/ul>\n\n\n\n

            When teams should choose Artifact Registry<\/h3>\n\n\n\n
              \n
            • You deploy workloads to OCI Compute<\/strong> or OKE<\/strong> and need a reliable image source.<\/li>\n
            • You want OCI IAM governance rather than separate credentials per tool.<\/li>\n
            • You want to keep artifacts close to OCI regions to reduce latency and egress.<\/li>\n<\/ul>\n\n\n\n

              When teams should not choose it<\/h3>\n\n\n\n
                \n
              • You are not using OCI for runtime and already standardize on another registry with strong cross-cloud replication (unless you implement a multi-registry strategy).<\/li>\n
              • You require features not confirmed for OCI Artifact Registry in your region (for example, advanced replication policies, native pull-through caching, or specific signing workflows). In those cases, validate capabilities first or use an alternative such as JFrog Artifactory or Harbor.<\/li>\n<\/ul>\n\n\n\n
                \n\n\n\n

                4. Where is Artifact Registry used?<\/h2>\n\n\n\n

                Industries<\/h3>\n\n\n\n
                  \n
                • SaaS and software companies running microservices on Kubernetes<\/li>\n
                • Finance and regulated industries needing compartment-based controls and auditability<\/li>\n
                • Retail\/e-commerce with bursty scaling events requiring rapid image pulls<\/li>\n
                • Telecom and media workloads with frequent deployments and CI\/CD maturity<\/li>\n<\/ul>\n\n\n\n

                  Team types<\/h3>\n\n\n\n
                    \n
                  • Platform engineering teams building internal developer platforms on OCI<\/li>\n
                  • DevOps\/SRE teams standardizing delivery pipelines<\/li>\n
                  • Security teams implementing artifact provenance and access controls<\/li>\n
                  • Application teams packaging services into containers<\/li>\n<\/ul>\n\n\n\n

                    Workloads<\/h3>\n\n\n\n
                      \n
                    • Containerized web APIs and background workers<\/li>\n
                    • Batch processing jobs on Compute instances<\/li>\n
                    • Kubernetes workloads on OKE (Deployments, CronJobs, Jobs)<\/li>\n
                    • Serverless (Functions) image-based deployments (verify current OCI Functions packaging model in your region)<\/li>\n<\/ul>\n\n\n\n

                      Architectures<\/h3>\n\n\n\n
                        \n
                      • Single-region production with dev\/test compartments<\/li>\n
                      • Multi-region DR designs (artifact strategy depends on supported replication approaches\u2014verify)<\/li>\n
                      • Microservices with one repo per service<\/li>\n
                      • Monorepos with multi-image builds and version tagging<\/li>\n<\/ul>\n\n\n\n

                        Production vs dev\/test usage<\/h3>\n\n\n\n
                          \n
                        • Dev\/test:<\/strong> frequent pushes, many tags, rapid churn; cost and cleanup hygiene matter.<\/li>\n
                        • Production:<\/strong> fewer pushes, controlled promotion, strong access controls, digest pinning, and change management.<\/li>\n<\/ul>\n\n\n\n
                          \n\n\n\n

                          5. Top Use Cases and Scenarios<\/h2>\n\n\n\n

                          Below are realistic scenarios where Oracle Cloud Artifact Registry fits well.<\/p>\n\n\n\n

                          1) Central container image store for Compute-based apps<\/h3>\n\n\n\n
                            \n
                          • Problem:<\/strong> VMs run containers, but images are scattered across laptops and ad-hoc servers.<\/li>\n
                          • Why it fits:<\/strong> Artifact Registry provides a managed, IAM-controlled registry endpoint.<\/li>\n
                          • Example:<\/strong> A team runs 20 OCI Compute instances that pull myapi:1.4.2<\/code> during rollout.<\/li>\n<\/ul>\n\n\n\n

                            2) Kubernetes (OKE) cluster image source<\/h3>\n\n\n\n
                              \n
                            • Problem:<\/strong> Kubernetes nodes must pull images quickly and securely.<\/li>\n
                            • Why it fits:<\/strong> OKE can pull images from OCI\u2019s registry endpoints using standard image references.<\/li>\n
                            • Example:<\/strong> A production OKE cluster pulls images from a \u201cprod\u201d compartment repository.<\/li>\n<\/ul>\n\n\n\n

                              3) CI pipeline push target for built images<\/h3>\n\n\n\n
                                \n
                              • Problem:<\/strong> CI builds container images but needs a trusted place to push them.<\/li>\n
                              • Why it fits:<\/strong> CI runners can authenticate and push to Artifact Registry; deploy stages pull the same artifact.<\/li>\n
                              • Example:<\/strong> OCI DevOps build pipeline pushes orders:2026.04.16.1<\/code> after tests pass.<\/li>\n<\/ul>\n\n\n\n

                                4) Environment separation by compartment (dev\/test\/prod)<\/h3>\n\n\n\n
                                  \n
                                • Problem:<\/strong> Developers accidentally deploy dev images to production.<\/li>\n
                                • Why it fits:<\/strong> Use separate compartments and IAM policies; prod repos are write-protected.<\/li>\n
                                • Example:<\/strong> Only a release automation group can push to the prod repo.<\/li>\n<\/ul>\n\n\n\n

                                  5) Third-party vendor image distribution inside OCI<\/h3>\n\n\n\n
                                    \n
                                  • Problem:<\/strong> Vendor provides a container image, but you need to host it internally for controlled pulls.<\/li>\n
                                  • Why it fits:<\/strong> Pull vendor image once, retag, and push into your OCI-controlled repository.<\/li>\n
                                  • Example:<\/strong> Security scans and approvals happen before pushing vendor\/agent:3.2<\/code>.<\/li>\n<\/ul>\n\n\n\n

                                    6) Rollbacks with immutable image digests<\/h3>\n\n\n\n
                                      \n
                                    • Problem:<\/strong> Tag-based deployments can drift if tags are overwritten.<\/li>\n
                                    • Why it fits:<\/strong> Deploy by digest (image@sha256:...<\/code>) for deterministic rollback behavior.<\/li>\n
                                    • Example:<\/strong> A release references the digest used in the previous stable deploy.<\/li>\n<\/ul>\n\n\n\n

                                      7) Multi-team platform registry with standardized naming<\/h3>\n\n\n\n
                                        \n
                                      • Problem:<\/strong> Teams use inconsistent naming, causing confusion and broken automation.<\/li>\n
                                      • Why it fits:<\/strong> Define conventions by repo structure and tagging strategy.<\/li>\n
                                      • Example:<\/strong> ocir.io\/<ns>\/team-app\/service:semver-build<\/code>.<\/li>\n<\/ul>\n\n\n\n

                                        8) Controlled distribution to air-gapped-ish subnets (egress-restricted)<\/h3>\n\n\n\n
                                          \n
                                        • Problem:<\/strong> Compute nodes in private subnets cannot reach public registries.<\/li>\n
                                        • Why it fits:<\/strong> Hosting artifacts in OCI reduces external dependencies; network egress design can be standardized (NAT\/service routing\u2014verify options).<\/li>\n
                                        • Example:<\/strong> Private OKE nodes pull from OCI endpoints through approved egress paths.<\/li>\n<\/ul>\n\n\n\n

                                          9) Blue\/green deployments that require fast, parallel pulls<\/h3>\n\n\n\n
                                            \n
                                          • Problem:<\/strong> A rollout doubles the number of nodes pulling images at once.<\/li>\n
                                          • Why it fits:<\/strong> Registry services are designed for concurrent distribution patterns.<\/li>\n
                                          • Example:<\/strong> 200 pods pull a new image in minutes during traffic shift.<\/li>\n<\/ul>\n\n\n\n

                                            10) \u201cGolden base image\u201d program<\/h3>\n\n\n\n
                                              \n
                                            • Problem:<\/strong> Security team wants standardized base images patched regularly.<\/li>\n
                                            • Why it fits:<\/strong> Store base images in a controlled repo; app teams inherit from them.<\/li>\n
                                            • Example:<\/strong> base\/oraclelinux:9-secured-2026w15<\/code> is the approved baseline.<\/li>\n<\/ul>\n\n\n\n

                                              11) Disaster recovery preparedness for container artifacts<\/h3>\n\n\n\n
                                                \n
                                              • Problem:<\/strong> You can recreate infra, but you also need the exact images used in production.<\/li>\n
                                              • Why it fits:<\/strong> A registry is a source of truth for runtime artifacts (multi-region strategy depends on available replication\/export methods\u2014verify).<\/li>\n
                                              • Example:<\/strong> DR runbook includes pulling production-tagged images to rebuild services.<\/li>\n<\/ul>\n\n\n\n

                                                12) Migration from self-hosted registry to OCI-managed<\/h3>\n\n\n\n
                                                  \n
                                                • Problem:<\/strong> Self-hosted registry maintenance and outages affect deployments.<\/li>\n
                                                • Why it fits:<\/strong> Move images to Artifact Registry and simplify operations.<\/li>\n
                                                • Example:<\/strong> Migrate from a VM-hosted Docker registry to OCI repositories, update image references.<\/li>\n<\/ul>\n\n\n\n
                                                  \n\n\n\n

                                                  6. Core Features<\/h2>\n\n\n\n
                                                  \n

                                                  The exact feature set can vary over time and by OCI region. Use this section as a practical baseline and verify advanced features (replication, retention, scanning, signing) in the official docs before relying on them.<\/p>\n<\/blockquote>\n\n\n\n

                                                  1) Managed repositories for container images<\/h3>\n\n\n\n
                                                    \n
                                                  • What it does:<\/strong> Hosts OCI\/Docker container images and serves them to clients.<\/li>\n
                                                  • Why it matters:<\/strong> Containers are the standard packaging unit for modern Compute and Kubernetes workloads.<\/li>\n
                                                  • Practical benefit:<\/strong> No need to run\/patch your own registry servers.<\/li>\n
                                                  • Caveats:<\/strong> Repository types and supported artifact formats can evolve\u2014verify supported formats in your tenancy\/region.<\/li>\n<\/ul>\n\n\n\n

                                                    2) Standards-based push\/pull with Docker-compatible tooling<\/h3>\n\n\n\n
                                                      \n
                                                    • What it does:<\/strong> Supports typical workflows: docker login<\/code>, docker push<\/code>, docker pull<\/code>.<\/li>\n
                                                    • Why it matters:<\/strong> Minimal changes to existing developer and CI practices.<\/li>\n
                                                    • Practical benefit:<\/strong> Easy onboarding for teams used to Docker Hub, ECR, GCR, ACR.<\/li>\n
                                                    • Caveats:<\/strong> Authentication uses OCI constructs (namespace, auth tokens) that differ from other clouds.<\/li>\n<\/ul>\n\n\n\n

                                                      3) Compartment-based organization<\/h3>\n\n\n\n
                                                        \n
                                                      • What it does:<\/strong> Lets you place repositories into compartments for isolation and governance.<\/li>\n
                                                      • Why it matters:<\/strong> Compartments are OCI\u2019s core boundary for access control and resource organization.<\/li>\n
                                                      • Practical benefit:<\/strong> Clean dev\/test\/prod separation and chargeback.<\/li>\n
                                                      • Caveats:<\/strong> Cross-compartment access requires explicit IAM policies.<\/li>\n<\/ul>\n\n\n\n

                                                        4) IAM policy-based access control<\/h3>\n\n\n\n
                                                          \n
                                                        • What it does:<\/strong> Controls who can manage repositories and who can read\/pull artifacts.<\/li>\n
                                                        • Why it matters:<\/strong> Artifact access is production access. Pull rights effectively grant code execution capability.<\/li>\n
                                                        • Practical benefit:<\/strong> Enforce least privilege and separation of duties.<\/li>\n
                                                        • Caveats:<\/strong> Precise policy verbs\/resource types should be confirmed in official docs for Artifact Registry.<\/li>\n<\/ul>\n\n\n\n

                                                          5) Tenancy namespace integration<\/h3>\n\n\n\n
                                                            \n
                                                          • What it does:<\/strong> Uses your tenancy\u2019s unique namespace as part of artifact addressing.<\/li>\n
                                                          • Why it matters:<\/strong> Prevents naming collisions and scopes registry identities.<\/li>\n
                                                          • Practical benefit:<\/strong> Clear ownership and stable naming across OCI.<\/li>\n
                                                          • Caveats:<\/strong> Namespace is required in image names; mis-typing it is a common cause of auth failures.<\/li>\n<\/ul>\n\n\n\n

                                                            6) Tagging and versioning conventions<\/h3>\n\n\n\n
                                                              \n
                                                            • What it does:<\/strong> Lets you label images with tags (:1.0.3<\/code>, :prod<\/code>, :gitsha-...<\/code>) and reference immutable digests.<\/li>\n
                                                            • Why it matters:<\/strong> Good tag strategy reduces rollback risk and deployment confusion.<\/li>\n
                                                            • Practical benefit:<\/strong> You can implement promotion flows (build tag \u2192 release tag \u2192 prod tag).<\/li>\n
                                                            • Caveats:<\/strong> Tags are mutable by nature; use digests for strict immutability.<\/li>\n<\/ul>\n\n\n\n

                                                              7) API\/Console\/CLI manageability<\/h3>\n\n\n\n
                                                                \n
                                                              • What it does:<\/strong> Offers multiple management planes (Console UI and API). OCI CLI commonly supports Artifact Registry operations.<\/li>\n
                                                              • Why it matters:<\/strong> Enables automation and Infrastructure as Code patterns.<\/li>\n
                                                              • Practical benefit:<\/strong> Script repo creation, cleanup jobs, and CI bootstrap.<\/li>\n
                                                              • Caveats:<\/strong> Verify the exact OCI CLI command group for your installed CLI version (for example, run oci --help<\/code> and search for \u201cartifacts\u201d \/ \u201cregistry\u201d).<\/li>\n<\/ul>\n\n\n\n

                                                                8) Integration with OCI DevOps (common pattern)<\/h3>\n\n\n\n
                                                                  \n
                                                                • What it does:<\/strong> CI builds push images; CD deploys workloads that pull those images.<\/li>\n
                                                                • Why it matters:<\/strong> Registry becomes the bridge between build and runtime.<\/li>\n
                                                                • Practical benefit:<\/strong> Clear promotion model; fewer \u201cartifact lost\u201d issues.<\/li>\n
                                                                • Caveats:<\/strong> Exact integration steps depend on DevOps pipeline type and auth model\u2014verify in DevOps docs.<\/li>\n<\/ul>\n\n\n\n

                                                                  9) Auditing via OCI Audit (control plane)<\/h3>\n\n\n\n
                                                                    \n
                                                                  • What it does:<\/strong> Records management operations (create\/update\/delete repo, policy changes, etc.) in OCI Audit.<\/li>\n
                                                                  • Why it matters:<\/strong> Supports governance and incident investigations.<\/li>\n
                                                                  • Practical benefit:<\/strong> You can track \u201cwho changed repo settings and when.\u201d<\/li>\n
                                                                  • Caveats:<\/strong> Data-plane events (every pull\/push) may not be fully captured; validate logging requirements early.<\/li>\n<\/ul>\n\n\n\n
                                                                    \n\n\n\n

                                                                    7. Architecture and How It Works<\/h2>\n\n\n\n

                                                                    High-level architecture<\/h3>\n\n\n\n

                                                                    Artifact Registry sits between:\n– Producers<\/strong> (developers, CI build agents) that push artifacts, and\n– Consumers<\/strong> (Compute instances, OKE nodes, deployment systems) that pull artifacts.<\/p>\n\n\n\n

                                                                    The registry control plane is managed through OCI (Console\/API), while the data plane uses the registry endpoint over HTTPS.<\/p>\n\n\n\n

                                                                    Request\/data\/control flow (typical)<\/h3>\n\n\n\n
                                                                      \n
                                                                    1. Admin<\/strong> creates a repository in a compartment (Console\/API).<\/li>\n
                                                                    2. IAM policy<\/strong> grants push\/pull permissions to a group or dynamic group.<\/li>\n
                                                                    3. CI or developer workstation<\/strong> authenticates and pushes an image to the regional endpoint.<\/li>\n
                                                                    4. Runtime<\/strong> (Compute\/OKE) authenticates and pulls the image by tag or digest.<\/li>\n
                                                                    5. Deployments<\/strong> run the image; rollouts reference tags\/digests.<\/li>\n<\/ol>\n\n\n\n

                                                                      Integrations with related OCI services<\/h3>\n\n\n\n
                                                                        \n
                                                                      • Compute<\/strong>: pull\/run images on VMs<\/li>\n
                                                                      • OKE<\/strong>: image pulls for pods<\/li>\n
                                                                      • OCI DevOps<\/strong>: build and deploy pipelines referencing registry artifacts<\/li>\n
                                                                      • IAM<\/strong>: groups, dynamic groups, policies<\/li>\n
                                                                      • Vault<\/strong>: store secrets (for example, registry auth tokens) used by CI systems<\/li>\n
                                                                      • Audit<\/strong>: track administrative operations<\/li>\n<\/ul>\n\n\n\n

                                                                        Dependency services (conceptual)<\/h3>\n\n\n\n
                                                                          \n
                                                                        • OCI IAM<\/strong> for authorization<\/li>\n
                                                                        • OCI networking<\/strong> for connectivity to endpoints (VCN egress for private subnets)<\/li>\n
                                                                        • OCI compartments<\/strong> for governance boundaries<\/li>\n<\/ul>\n\n\n\n

                                                                          Security\/authentication model (common patterns)<\/h3>\n\n\n\n
                                                                            \n
                                                                          • Human users<\/strong> often authenticate to the registry with an auth token<\/strong> generated in OCI (rather than using the console password). Docker then stores the token locally.<\/li>\n
                                                                          • Automation<\/strong> (CI\/CD) also typically uses auth tokens stored in a secret manager (Vault or a CI secret store).<\/li>\n
                                                                          • Workloads<\/strong> (Compute\/OKE) generally use image pull secrets or node-level credentials depending on orchestration approach.<\/li>\n<\/ul>\n\n\n\n
                                                                            \n

                                                                            Verify the recommended authentication method for your exact OCI setup (native IAM users vs federated identities) in the official docs, because username formats can differ.<\/p>\n<\/blockquote>\n\n\n\n

                                                                            Networking model (practical)<\/h3>\n\n\n\n
                                                                              \n
                                                                            • Artifact Registry is accessed over HTTPS<\/strong> using a region-specific host (commonly REGIONKEY.ocir.io<\/code>).<\/li>\n
                                                                            • Compute resources in private subnets need an outbound path to reach the registry endpoint (commonly via NAT gateway). Whether a Service Gateway\/private routing is supported for Artifact Registry depends on OCI service endpoint design\u2014verify in official networking docs and Artifact Registry docs.<\/li>\n<\/ul>\n\n\n\n

                                                                              Monitoring\/logging\/governance considerations<\/h3>\n\n\n\n
                                                                                \n
                                                                              • OCI Audit<\/strong>: monitor control-plane actions and policy changes.<\/li>\n
                                                                              • Tagging<\/strong>: use OCI resource tags on repositories for cost allocation.<\/li>\n
                                                                              • Quotas\/service limits<\/strong>: define\/monitor repository and storage usage; validate rate\/size limits for large images.<\/li>\n<\/ul>\n\n\n\n

                                                                                Simple architecture diagram<\/h4>\n\n\n\n
                                                                                flowchart LR\n  Dev[Developer \/ CI Runner] -->|docker push (HTTPS)| AR[OCI Artifact Registry<br\/>Regional Endpoint]\n  AR -->|docker pull (HTTPS)| VM[OCI Compute Instance]\n  VM --> App[Running Container Workload]\n  IAM[OCI IAM Policies] -. authorizes .- Dev\n  IAM -. authorizes .- VM\n<\/code><\/pre>\n\n\n\n
                                                                                Production-style architecture diagram<\/h4>\n\n\n\n
                                                                                flowchart TB\n  subgraph CICD[CI\/CD]\n    Git[Source Repo] --> Build[Build Pipeline<br\/>tests + docker build]\n    Build -->|push image| AR[OCI Artifact Registry<br\/>Prod Region]\n  end\n\n  subgraph OCI[Oracle Cloud (OCI)]\n    IAM[OCI IAM<br\/>Groups\/Dynamic Groups\/Policies]\n    Vault[OCI Vault<br\/>Secrets (auth token)]\n    Audit[OCI Audit]\n    VCN[VCN]\n    NAT[NAT Gateway \/ Egress Path]\n    OKE[OKE Cluster<br\/>Worker Nodes in Private Subnets]\n    Deploy[Deploy Pipeline<br\/>or GitOps Controller]\n  end\n\n  Vault --> Build\n  IAM -.authz.- Build\n  IAM -.authz.- Deploy\n  Audit -.logs.- AR\n\n  Deploy --> OKE\n  OKE -->|pull image via egress| NAT --> AR\n<\/code><\/pre>\n\n\n\n
                                                                                \n\n\n\n
                                                                                8. Prerequisites<\/h2>\n\n\n\n
                                                                                Account\/tenancy requirements<\/h3>\n\n\n\n
                                                                                  \n
                                                                                • An active Oracle Cloud<\/strong> tenancy with permissions to use Artifact Registry in at least one region.<\/li>\n
                                                                                • A compartment to hold your repository (or permission to create one).<\/li>\n<\/ul>\n\n\n\n
                                                                                  Permissions \/ IAM roles<\/h3>\n\n\n\n
                                                                                  You need permissions to:\n– Create\/manage Artifact Registry repositories in a compartment\n– Read\/pull artifacts (for runtime validation)\n– Create auth tokens<\/strong> for a user (for Docker login)<\/p>\n\n\n\n
                                                                                  In many organizations, these are covered by an admin role. If you are not an admin, ask your OCI administrator to grant the minimum required permissions for Artifact Registry. Verify the exact IAM policy syntax<\/strong> for Artifact Registry in official docs, because policy verbs\/resource types must match OCI\u2019s authorization model.<\/p>\n\n\n\n
                                                                                  Billing requirements<\/h3>\n\n\n\n
                                                                                    \n
                                                                                  • Artifact storage and data transfer may incur charges depending on your usage and Free Tier allowances (see Section 9).<\/li>\n<\/ul>\n\n\n\n
                                                                                    Tools needed<\/h3>\n\n\n\n
                                                                                      \n
                                                                                    • Docker<\/strong> (or Podman with Docker-compatible workflow) on your local machine<\/li>\n
                                                                                    • Optional: OCI CLI<\/strong> for automation (verify your CLI supports Artifact Registry commands)<\/li>\n
                                                                                    • Optional: SSH client if you will validate from an OCI Compute instance<\/li>\n<\/ul>\n\n\n\n
                                                                                      Region availability<\/h3>\n\n\n\n
                                                                                        \n
                                                                                      • Artifact Registry is region-based. Choose a region where your tenancy is subscribed and where you run Compute\/OKE.<\/li>\n<\/ul>\n\n\n\n
                                                                                        Quotas\/limits<\/h3>\n\n\n\n
                                                                                          \n
                                                                                        • Repository count limits, storage limits, and request limits can apply.<\/li>\n
                                                                                        • Check Service Limits<\/strong> in OCI Console and the Artifact Registry docs for current quotas.<\/li>\n<\/ul>\n\n\n\n
                                                                                          Prerequisite services (for the lab)<\/h3>\n\n\n\n
                                                                                            \n
                                                                                          • OCI Compute<\/strong> (to validate pulling and running the container on a VM)<\/li>\n
                                                                                          • VCN<\/strong> networking to access the VM via SSH (public IP for simplest lab)<\/li>\n<\/ul>\n\n\n\n
                                                                                            \n\n\n\n
                                                                                            9. Pricing \/ Cost<\/h2>\n\n\n\n
                                                                                            Artifact Registry costs are typically driven by storage<\/strong> and network egress<\/strong>, plus any related costs from build and runtime environments.<\/p>\n\n\n\n
                                                                                            Pricing dimensions (model overview)<\/h3>\n\n\n\n
                                                                                            Common pricing factors include:\n– Stored data (GB-month):<\/strong> Container image layers and manifests stored in the registry.\n– Data transfer out (egress):<\/strong> Pulling images out of a region or out to the public internet can incur egress charges depending on OCI networking rules and destination.\n– Requests\/operations:<\/strong> Some registries price by API operations; OCI\u2019s exact model must be confirmed on the official pricing page for Artifact Registry\/Registry.<\/p>\n\n\n\n
                                                                                            Because OCI pricing can vary by region and may be updated, do not rely on third-party numbers<\/strong>. Always confirm with Oracle\u2019s official sources:\n– OCI pricing pages: https:\/\/www.oracle.com\/cloud\/price-list\/\n– OCI Cost Estimator: https:\/\/www.oracle.com\/cloud\/costestimator.html\n– OCI Pricing documentation (if provided per service in your region): verify in official docs.<\/p>\n\n\n\n
                                                                                            Free Tier (if applicable)<\/h3>\n\n\n\n
                                                                                            Oracle Cloud has an Always Free and Free Trial program. Whether Artifact Registry storage\/egress is included or discounted depends on current Free Tier terms. Verify Free Tier coverage<\/strong> for Artifact Registry and related services in your account.<\/p>\n\n\n\n
                                                                                            Primary cost drivers<\/h3>\n\n\n\n
                                                                                              \n
                                                                                            • Image size<\/strong>: Large base images (language runtimes, ML stacks) amplify storage and pull costs.<\/li>\n
                                                                                            • Number of tags\/versions kept<\/strong>: Keeping every build forever increases storage steadily.<\/li>\n
                                                                                            • Pull frequency<\/strong>: Auto-scaling clusters pull images repeatedly unless nodes cache them.<\/li>\n
                                                                                            • Cross-region pulls<\/strong>: Pulling from a different region can add latency and potential inter-region data transfer costs.<\/li>\n<\/ul>\n\n\n\n
                                                                                              Hidden or indirect costs<\/h3>\n\n\n\n
                                                                                                \n
                                                                                              • Compute build minutes<\/strong>: CI builds running on Compute instances or DevOps build runners cost money.<\/li>\n
                                                                                              • OKE node egress<\/strong>: Private nodes pulling images may require NAT gateway usage; NAT itself has costs and egress charges may apply.<\/li>\n
                                                                                              • Backup\/DR strategy<\/strong>: If you export images for DR (for example, to Object Storage), that adds storage and transfer costs.<\/li>\n<\/ul>\n\n\n\n
                                                                                                Network\/data transfer implications<\/h3>\n\n\n\n
                                                                                                  \n
                                                                                                • Pulling images within the same region<\/strong> where the workloads run is typically the most cost-efficient and performant pattern.<\/li>\n
                                                                                                • Pulling images to on-prem or another cloud can create internet egress charges.<\/li>\n
                                                                                                • If you run private subnets, egress architecture (NAT\/service routing) impacts cost.<\/li>\n<\/ul>\n\n\n\n
                                                                                                  How to optimize cost (practical)<\/h3>\n\n\n\n
                                                                                                    \n
                                                                                                  • Keep images small: multi-stage builds, minimal base images.<\/li>\n
                                                                                                  • Limit tag retention: remove old CI tags; keep only releases.<\/li>\n
                                                                                                  • Prefer same-region artifact placement as runtime.<\/li>\n
                                                                                                  • Avoid needless repulls: use node-level caching and stable tags\/digests; avoid :latest<\/code> in production.<\/li>\n
                                                                                                  • Promote images by retagging release candidates rather than rebuilding identical layers repeatedly.<\/li>\n<\/ul>\n\n\n\n
                                                                                                    Example low-cost starter estimate (no fabricated prices)<\/h3>\n\n\n\n
                                                                                                    A realistic starter monthly footprint might look like:\n– 5 services \u00d7 2 images each \u00d7 300 MB per image average \u2248 3 GB stored\n– 10 pulls per day per service in dev\/test \u2248 moderate data transfer<\/p>\n\n\n\n
                                                                                                    Cost will be:\n– storage_GB_month \u00d7 storage_rate<\/code> + egress_GB \u00d7 egress_rate<\/code> (if applicable)<\/p>\n\n\n\n
                                                                                                    Use the OCI Cost Estimator to plug your region and expected GB-month and egress.<\/p>\n\n\n\n
                                                                                                    Example production cost considerations<\/h3>\n\n\n\n
                                                                                                    In production:\n– 50\u2013200 nodes pulling images during deployments can create bursty data transfer.\n– Retaining 6\u201312 months of releases can build significant GB-month usage.\n– Multi-region strategies can multiply storage if you keep copies per region.<\/p>\n\n\n\n
                                                                                                    \n\n\n\n
                                                                                                    10. Step-by-Step Hands-On Tutorial<\/h2>\n\n\n\n
                                                                                                    Objective<\/h3>\n\n\n\n
                                                                                                    Create an Artifact Registry<\/strong> repository in Oracle Cloud, push a Docker image from your laptop, then pull and run that image on an OCI Compute<\/strong> instance.<\/p>\n\n\n\n
                                                                                                    This lab is designed to be:\n– Beginner-friendly\n– Low-cost (uses small images and a single VM)\n– Realistic (mirrors common CI\/CD workflows)<\/p>\n\n\n\n
                                                                                                    Lab Overview<\/h3>\n\n\n\n
                                                                                                    You will:\n1. Identify your tenancy\u2019s namespace<\/strong> and registry endpoint.\n2. Create an Artifact Registry repository.\n3. Generate an auth token and log in to the registry using Docker.\n4. Build a small container image and push it to Artifact Registry.\n5. Provision a Compute VM, pull the image, and run the container.\n6. Validate and clean up.<\/p>\n\n\n\n
                                                                                                    \n\n\n\n
                                                                                                    Step 1: Choose region, compartment, and find your registry namespace<\/h3>\n\n\n\n
                                                                                                    Actions (OCI Console):<\/strong>\n1. Sign in to Oracle Cloud Console.\n2. Select the region<\/strong> you will use (top-right region selector).\n3. Go to Developer Services \u2192 Artifact Registry<\/strong> (service name may appear under Developer Services).\n4. Find the Namespace<\/strong> value (often shown in the Artifact Registry\/Registry settings area).<\/p>\n\n\n\n
                                                                                                    Expected outcome:<\/strong>\n– You have the tenancy namespace string (you will use it in the image name).\n– You know your region key (example format: iad<\/code>, fra<\/code>, lhr<\/code>), which is typically part of the registry endpoint.<\/p>\n\n\n\n
                                                                                                    Notes:<\/strong>\n– OCI registry endpoints commonly look like:\nREGIONKEY.ocir.io<\/code>\n  The image name commonly includes:\nREGIONKEY.ocir.io\/NAMESPACE\/REPOSITORY\/IMAGE:TAG<\/code><\/p>\n\n\n\n
                                                                                                    Because endpoint formats can change or differ by realm, verify the exact endpoint shown in the OCI Console<\/strong> for Artifact Registry.<\/p>\n\n\n\n
                                                                                                    \n\n\n\n
                                                                                                    Step 2: Create an Artifact Registry repository<\/h3>\n\n\n\n
                                                                                                    Actions (OCI Console):<\/strong>\n1. Go to Developer Services \u2192 Artifact Registry<\/strong>.\n2. Select your target compartment<\/strong> (left-side compartment selector).\n3. Click Create repository<\/strong>.\n4. Choose the repository format\/type appropriate for container images<\/strong>.\n5. Name the repository (example): hello-repo<\/code>\n6. Create it.<\/p>\n\n\n\n
                                                                                                    Expected outcome:<\/strong>\n– A repository named hello-repo<\/code> exists in your compartment.<\/p>\n\n\n\n
                                                                                                    Verification:<\/strong>\n– You can see the repository in the Artifact Registry repository list.<\/p>\n\n\n\n
                                                                                                    \n\n\n\n
                                                                                                    Step 3: Create an auth token for Docker login<\/h3>\n\n\n\n
                                                                                                    OCI commonly uses auth tokens<\/strong> for registry access from Docker\/CI.<\/p>\n\n\n\n
                                                                                                    Actions (OCI Console):<\/strong>\n1. Go to Identity & Security \u2192 Users<\/strong>.\n2. Select your user.\n3. Find Auth Tokens<\/strong> and click Generate Token<\/strong>.\n4. Give it a description (example: docker-login-lab<\/code>).\n5. Copy the token value immediately and store it securely (you won\u2019t be able to view it again).<\/p>\n\n\n\n
                                                                                                    Expected outcome:<\/strong>\n– You have an auth token string saved securely for the next steps.<\/p>\n\n\n\n
                                                                                                    Security tip:<\/strong> Treat the auth token like a password. Don\u2019t paste it into chat logs or commit it to Git.<\/p>\n\n\n\n
                                                                                                    \n\n\n\n
                                                                                                    Step 4: Log in to Artifact Registry from your local machine<\/h3>\n\n\n\n
                                                                                                    You will now use Docker to authenticate to the OCI registry endpoint.<\/p>\n\n\n\n
                                                                                                    Identify these values:<\/strong>\n– REGIONKEY<\/code>: for example iad<\/code> (use your actual region key)\n– NAMESPACE<\/code>: your tenancy namespace\n– USERNAME<\/code>: your OCI username.\n  For federated identities, the username format may differ (for example, it may include an identity provider prefix). Verify the required username format in the official Artifact Registry docs<\/strong> for your identity type.<\/p>\n\n\n\n
                                                                                                    Command:<\/strong><\/p>\n\n\n\n
                                                                                                    export REGIONKEY=\"your-region-key\"\nexport NAMESPACE=\"your-namespace\"\nexport USERNAME=\"your-oci-username\"\n\ndocker logout \"${REGIONKEY}.ocir.io\" || true\ndocker login \"${REGIONKEY}.ocir.io\" -u \"${NAMESPACE}\/${USERNAME}\"\n<\/code><\/pre>\n\n\n\n
                                                                                                    When prompted for a password, paste the auth token<\/strong>.<\/p>\n\n\n\n
                                                                                                    Expected outcome:<\/strong>\n– Docker reports Login Succeeded<\/code>.<\/p>\n\n\n\n
                                                                                                    Verification:<\/strong><\/p>\n\n\n\n
                                                                                                    docker system info | grep -i -A2 \"Registry\"\n<\/code><\/pre>\n\n\n\n
                                                                                                    And\/or check ~\/.docker\/config.json<\/code> for an auth entry (do not share it).<\/p>\n\n\n\n
                                                                                                    Common error: unauthorized: authentication required<\/code><\/strong>\n– Re-check region endpoint (REGIONKEY.ocir.io<\/code>)\n– Re-check namespace and username format\n– Ensure you pasted the auth token (not your console password)\n– Confirm your user\/group has permission to push\/pull (IAM policy)<\/p>\n\n\n\n
                                                                                                    \n\n\n\n
                                                                                                    Step 5: Build a small Docker image locally<\/h3>\n\n\n\n
                                                                                                    Create a new folder and add a tiny web server container.<\/p>\n\n\n\n
                                                                                                    Commands:<\/strong><\/p>\n\n\n\n
                                                                                                    mkdir -p artifact-registry-lab && cd artifact-registry-lab\ncat > app.py <<'EOF'\nfrom http.server import BaseHTTPRequestHandler, HTTPServer\n\nclass Handler(BaseHTTPRequestHandler):\n    def do_GET(self):\n        self.send_response(200)\n        self.send_header(\"Content-type\", \"text\/plain; charset=utf-8\")\n        self.end_headers()\n        self.wfile.write(b\"Hello from OCI Artifact Registry on Oracle Cloud Compute!\\n\")\n\nHTTPServer((\"0.0.0.0\", 8080), Handler).serve_forever()\nEOF\n\ncat > Dockerfile <<'EOF'\nFROM python:3.12-slim\nWORKDIR \/app\nCOPY app.py \/app\/app.py\nEXPOSE 8080\nCMD [\"python\", \"\/app\/app.py\"]\nEOF\n\ndocker build -t hello-artifact:1.0 .\n<\/code><\/pre>\n\n\n\n
                                                                                                    Expected outcome:<\/strong>\n– Docker successfully builds the image hello-artifact:1.0<\/code>.<\/p>\n\n\n\n
                                                                                                    Verification:<\/strong><\/p>\n\n\n\n
                                                                                                    docker images | grep hello-artifact\ndocker run --rm -p 8080:8080 hello-artifact:1.0\n<\/code><\/pre>\n\n\n\n
                                                                                                    In a second terminal:<\/p>\n\n\n\n
                                                                                                    curl -s http:\/\/localhost:8080\n<\/code><\/pre>\n\n\n\n
                                                                                                    Stop the container with Ctrl+C<\/code>.<\/p>\n\n\n\n
                                                                                                    \n\n\n\n
                                                                                                    Step 6: Tag and push the image to Artifact Registry<\/h3>\n\n\n\n
                                                                                                    Construct your full image name. A common pattern is:<\/p>\n\n\n\n
                                                                                                    REGIONKEY.ocir.io\/NAMESPACE\/REPO\/IMAGE:TAG<\/code><\/p>\n\n\n\n
                                                                                                    Example (yours will differ):\n– iad.ocir.io\/mytenancyns\/hello-repo\/hello-artifact:1.0<\/code><\/p>\n\n\n\n
                                                                                                    Commands:<\/strong><\/p>\n\n\n\n
                                                                                                    export REPO=\"hello-repo\"\nexport IMAGE=\"hello-artifact\"\nexport TAG=\"1.0\"\n\nexport FULL_IMAGE=\"${REGIONKEY}.ocir.io\/${NAMESPACE}\/${REPO}\/${IMAGE}:${TAG}\"\n\ndocker tag hello-artifact:1.0 \"${FULL_IMAGE}\"\ndocker push \"${FULL_IMAGE}\"\n<\/code><\/pre>\n\n\n\n
                                                                                                    Expected outcome:<\/strong>\n– Docker outputs layer upload progress and finishes with a digest line.<\/p>\n\n\n\n
                                                                                                    Verification (OCI Console):<\/strong>\n– Go to Artifact Registry \u2192 Repositories \u2192 hello-repo<\/strong>\n– Confirm the image\/tag appears.<\/p>\n\n\n\n
                                                                                                    Common error: denied: requested access to the resource is denied<\/code><\/strong>\n– Repository path mismatch (wrong repo name in the image reference)\n– IAM policy does not allow pushing\n– Wrong namespace\/username\/token<\/p>\n\n\n\n
                                                                                                    \n\n\n\n
                                                                                                    Step 7: Create a small OCI Compute instance for validation<\/h3>\n\n\n\n
                                                                                                    For a minimal-cost validation:\n– Use an Always Free\u2013eligible shape if available in your region (availability varies\u2014verify in console).\n– Use Oracle Linux (common default).<\/p>\n\n\n\n
                                                                                                    Actions (OCI Console):<\/strong>\n1. Go to Compute \u2192 Instances \u2192 Create instance<\/strong>\n2. Choose:\n   – Name: artifact-registry-vm<\/code>\n   – Image: Oracle Linux (current supported version)\n   – Shape: small shape (Always Free if available)\n3. Networking:\n   – Create\/choose a VCN and subnet\n   – Assign a public IPv4 address (simplest for a lab)\n4. Add your SSH public key\n5. Create<\/p>\n\n\n\n
                                                                                                    Expected outcome:<\/strong>\n– Instance is running and has a public IP.<\/p>\n\n\n\n
                                                                                                    Verification:<\/strong>\n– SSH to the instance:<\/p>\n\n\n\n
                                                                                                    ssh -i \/path\/to\/private_key opc@PUBLIC_IP\n<\/code><\/pre>\n\n\n\n
                                                                                                    \n\n\n\n
                                                                                                    Step 8: Install Docker (or Podman) on the VM<\/h3>\n\n\n\n
                                                                                                    Oracle Linux commonly supports Podman by default; Docker may require extra steps. Choose one approach that is supported for your OS version.<\/p>\n\n\n\n
                                                                                                    Option A (Podman):<\/strong> (often easiest on modern Oracle Linux)<\/p>\n\n\n\n
                                                                                                    sudo dnf -y install podman\npodman --version\n<\/code><\/pre>\n\n\n\n
                                                                                                    Option B (Docker):<\/strong>\nFollow the current Oracle Linux + Docker installation instructions for your OS version. Because package availability changes, verify in official Oracle Linux docs<\/strong>.<\/p>\n\n\n\n
                                                                                                    For the remainder of the lab, we\u2019ll show Docker commands. If you use Podman, many commands are the same (podman login<\/code>, podman pull<\/code>, podman run<\/code>).<\/p>\n\n\n\n
                                                                                                    \n\n\n\n
                                                                                                    Step 9: Log in from the VM and pull the image<\/h3>\n\n\n\n
                                                                                                    On the VM, authenticate to the registry.<\/p>\n\n\n\n
                                                                                                    Command (Docker):<\/strong><\/p>\n\n\n\n
                                                                                                    export REGIONKEY=\"your-region-key\"\nexport NAMESPACE=\"your-namespace\"\nexport USERNAME=\"your-oci-username\"\nexport FULL_IMAGE=\"${REGIONKEY}.ocir.io\/${NAMESPACE}\/hello-repo\/hello-artifact:1.0\"\n\ndocker login \"${REGIONKEY}.ocir.io\" -u \"${NAMESPACE}\/${USERNAME}\"\ndocker pull \"${FULL_IMAGE}\"\n<\/code><\/pre>\n\n\n\n
                                                                                                    Paste the same auth token<\/strong> as the password.<\/p>\n\n\n\n
                                                                                                    Expected outcome:<\/strong>\n– The image pulls successfully.<\/p>\n\n\n\n
                                                                                                    Verification:<\/strong><\/p>\n\n\n\n
                                                                                                    docker images | grep hello-artifact\n<\/code><\/pre>\n\n\n\n
                                                                                                    \n\n\n\n
                                                                                                    Step 10: Run the container and validate it<\/h3>\n\n\n\n
                                                                                                    Run the container on port 8080 and confirm it responds.<\/p>\n\n\n\n
                                                                                                    Commands (on the VM):<\/strong><\/p>\n\n\n\n
                                                                                                    docker run -d --name hello-oci -p 8080:8080 \"${FULL_IMAGE}\"\ndocker ps | grep hello-oci\ncurl -s http:\/\/localhost:8080\n<\/code><\/pre>\n\n\n\n
                                                                                                    Expected outcome:<\/strong>\n– curl<\/code> prints:\nHello from OCI Artifact Registry on Oracle Cloud Compute!<\/code><\/p>\n\n\n\n
                                                                                                    To test from your laptop, open the instance\u2019s security list \/ NSG<\/strong> to allow inbound TCP 8080 from your IP, then:<\/p>\n\n\n\n
                                                                                                    curl -s http:\/\/PUBLIC_IP:8080\n<\/code><\/pre>\n\n\n\n
                                                                                                    Verification:<\/strong><\/p>\n\n\n\n
                                                                                                    docker logs hello-oci --tail 20\n<\/code><\/pre>\n\n\n\n
                                                                                                    \n\n\n\n
                                                                                                    Validation<\/h3>\n\n\n\n
                                                                                                    You have successfully validated:\n– Repository creation in Oracle Cloud Artifact Registry\n– Docker authentication using OCI auth token\n– Image push from local workstation\n– Image pull and run on OCI Compute<\/p>\n\n\n\n
                                                                                                    Checklist:\n– [ ] Image tag visible in the OCI Console repository\n– [ ] docker push<\/code> completes without permission errors\n– [ ] VM can docker pull<\/code> the same image\n– [ ] Container responds on http:\/\/localhost:8080<\/code> (and optionally via public IP)<\/p>\n\n\n\n
                                                                                                    \n\n\n\n
                                                                                                    Troubleshooting<\/h3>\n\n\n\n
                                                                                                    1) Docker login fails<\/strong>\n– Confirm endpoint: REGIONKEY.ocir.io<\/code>\n– Confirm username format: NAMESPACE\/USERNAME<\/code> (federated users may differ; verify)\n– Use auth token<\/strong> (not console password)\n– Ensure IAM policies allow access<\/p>\n\n\n\n
                                                                                                    2) Push denied<\/strong>\n– Ensure repository exists and name matches exactly\n– Ensure your user\/group can push\/manage artifacts in that compartment\n– Ensure you are pushing to the correct region endpoint<\/p>\n\n\n\n
                                                                                                    3) VM cannot pull (timeout)<\/strong>\n– If VM is in private subnet, ensure it has egress (NAT gateway + route rules)\n– Check DNS resolution on VM\n– Verify security rules allow outbound HTTPS<\/p>\n\n\n\n
                                                                                                    4) Container runs but not reachable from laptop<\/strong>\n– Open inbound TCP 8080 in NSG\/security list for your source IP\n– Confirm firewall on the VM (Oracle Linux firewall rules)\n– Confirm docker run -p 8080:8080<\/code> published the port<\/p>\n\n\n\n
                                                                                                    \n\n\n\n
                                                                                                    Cleanup<\/h3>\n\n\n\n
                                                                                                    To avoid ongoing costs:\n1. Stop and remove container on VM<\/strong><\/p>\n\n\n\n
                                                                                                    docker rm -f hello-oci || true\n<\/code><\/pre>\n\n\n\n
                                                                                                      \n
                                                                                                    1. Optionally remove the image<\/strong><\/li>\n<\/ol>\n\n\n\n
                                                                                                      docker rmi \"${FULL_IMAGE}\" || true\n<\/code><\/pre>\n\n\n\n
                                                                                                        \n
                                                                                                      1. \n
                                                                                                        Terminate the Compute instance<\/strong>\n– OCI Console \u2192 Compute \u2192 Instances \u2192 artifact-registry-vm<\/code> \u2192 Terminate<\/strong><\/p>\n<\/li>\n
                                                                                                      2. \n
                                                                                                        Delete the repository\/images<\/strong>\n– Artifact Registry \u2192 repository \u2192 delete images\/tags as needed, then delete repository<\/p>\n<\/li>\n
                                                                                                      3. \n
                                                                                                        Revoke auth token<\/strong>\n– Identity & Security \u2192 Users \u2192 your user \u2192 Auth Tokens \u2192 delete the token<\/p>\n<\/li>\n<\/ol>\n\n\n\n
                                                                                                        \n\n\n\n
                                                                                                        11. Best Practices<\/h2>\n\n\n\n
                                                                                                        Architecture best practices<\/h3>\n\n\n\n
                                                                                                          \n
                                                                                                        • Keep artifacts in the same region as runtime<\/strong> to reduce latency and egress.<\/li>\n
                                                                                                        • Use separate compartments<\/strong> for dev\/test\/prod repositories to reduce blast radius.<\/li>\n
                                                                                                        • Reference production deployments by digest<\/strong> where possible for immutability.<\/li>\n<\/ul>\n\n\n\n
                                                                                                          IAM\/security best practices<\/h3>\n\n\n\n
                                                                                                            \n
                                                                                                          • Separate push and pull permissions<\/strong>:<\/li>\n
                                                                                                          • CI\/build systems: push (write)<\/li>\n
                                                                                                          • Runtime (OKE\/Compute): pull (read)<\/li>\n
                                                                                                          • Use least privilege<\/strong> policies per compartment.<\/li>\n
                                                                                                          • Avoid sharing human auth tokens<\/strong>; use dedicated CI users or automation identities where possible.<\/li>\n<\/ul>\n\n\n\n
                                                                                                            Cost best practices<\/h3>\n\n\n\n
                                                                                                              \n
                                                                                                            • Implement retention hygiene<\/strong>: delete old CI tags and unused images.<\/li>\n
                                                                                                            • Optimize image size<\/strong>: slim bases, multi-stage builds, reduce layers.<\/li>\n
                                                                                                            • Avoid cross-region pulls<\/strong> unless required.<\/li>\n<\/ul>\n\n\n\n
                                                                                                              Performance best practices<\/h3>\n\n\n\n
                                                                                                                \n
                                                                                                              • Use stable base layers<\/strong> to maximize layer caching on nodes.<\/li>\n
                                                                                                              • Avoid latest<\/code><\/strong> for anything beyond local dev.<\/li>\n
                                                                                                              • Batch rollouts<\/strong> to prevent unnecessary repeated pulls in short windows (depends on your orchestrator).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                Reliability best practices<\/h3>\n\n\n\n
                                                                                                                  \n
                                                                                                                • Treat the registry as production infrastructure<\/strong>:<\/li>\n
                                                                                                                • Define ownership<\/li>\n
                                                                                                                • Document restore\/migration approach (export images if needed\u2014verify recommended method)<\/li>\n
                                                                                                                • Plan for DR<\/strong>: decide whether you rebuild images from source or maintain artifact copies.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                  Operations best practices<\/h3>\n\n\n\n
                                                                                                                    \n
                                                                                                                  • Tag repositories<\/strong> with cost center, environment, owner.<\/li>\n
                                                                                                                  • Monitor storage growth<\/strong> and enforce cleanup policies via automation.<\/li>\n
                                                                                                                  • Use Audit logs<\/strong> for governance and incident response.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                    Governance\/tagging\/naming best practices<\/h3>\n\n\n\n
                                                                                                                      \n
                                                                                                                    • Repository naming:<\/li>\n
                                                                                                                    • team-app-service<\/code> or org\/team\/service<\/code><\/li>\n
                                                                                                                    • Image tags:<\/li>\n
                                                                                                                    • semver<\/code> for releases (e.g., 1.8.0<\/code>)<\/li>\n
                                                                                                                    • gitsha-<shortsha><\/code> for traceability<\/li>\n
                                                                                                                    • build-<buildnumber><\/code> for CI<\/li>\n
                                                                                                                    • OCI tags on repos:<\/li>\n
                                                                                                                    • Environment=prod<\/code><\/li>\n
                                                                                                                    • Owner=platform-team<\/code><\/li>\n
                                                                                                                    • CostCenter=...<\/code><\/li>\n<\/ul>\n\n\n\n
                                                                                                                      \n\n\n\n
                                                                                                                      12. Security Considerations<\/h2>\n\n\n\n
                                                                                                                      Identity and access model<\/h3>\n\n\n\n
                                                                                                                        \n
                                                                                                                      • OCI IAM controls management and access to Artifact Registry resources through policies.<\/li>\n
                                                                                                                      • Docker clients commonly authenticate using auth tokens<\/strong> associated with users.<\/li>\n
                                                                                                                      • In Kubernetes, use image pull secrets and scope them carefully.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                        Key security principle:<\/strong> If an identity can push<\/strong> to a repo used by production, it can effectively introduce code that runs in production. Treat push permission as highly sensitive.<\/p>\n\n\n\n
                                                                                                                        Encryption<\/h3>\n\n\n\n
                                                                                                                          \n
                                                                                                                        • OCI services typically encrypt data at rest and use TLS for in-transit encryption.<\/li>\n
                                                                                                                        • Confirm Artifact Registry\u2019s encryption posture and any customer-managed key options (if needed) in official docs.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                          Network exposure<\/h3>\n\n\n\n
                                                                                                                            \n
                                                                                                                          • Registry endpoints are accessed via HTTPS.<\/li>\n
                                                                                                                          • Control egress from private subnets (NAT\/service routing as applicable).<\/li>\n
                                                                                                                          • Restrict inbound access to workloads; don\u2019t expose test containers to the internet unnecessarily.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                            Secrets handling<\/h3>\n\n\n\n
                                                                                                                              \n
                                                                                                                            • Store auth tokens in OCI Vault<\/strong> or your CI secret store.<\/li>\n
                                                                                                                            • Rotate tokens regularly and immediately on suspected compromise.<\/li>\n
                                                                                                                            • Avoid embedding tokens into VM images or container images.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                              Audit\/logging<\/h3>\n\n\n\n
                                                                                                                                \n
                                                                                                                              • Enable and retain OCI Audit<\/strong> logs per your governance policy.<\/li>\n
                                                                                                                              • Track:<\/li>\n
                                                                                                                              • Repo creation\/deletion<\/li>\n
                                                                                                                              • IAM policy changes<\/li>\n
                                                                                                                              • Token creation\/deletion processes (token events visibility may vary\u2014verify)<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                Compliance considerations<\/h3>\n\n\n\n
                                                                                                                                  \n
                                                                                                                                • If you have compliance needs (SOC 2, ISO, PCI, HIPAA), confirm:<\/li>\n
                                                                                                                                • Data residency (region-specific)<\/li>\n
                                                                                                                                • Access logging detail<\/li>\n
                                                                                                                                • Retention controls<\/li>\n
                                                                                                                                • Encryption key management options<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                  Common security mistakes<\/h3>\n\n\n\n
                                                                                                                                    \n
                                                                                                                                  • Using one shared \u201cregistry password\u201d across teams<\/li>\n
                                                                                                                                  • Allowing broad push access to prod repos<\/li>\n
                                                                                                                                  • Deploying with mutable tags only (risk of tag overwrite)<\/li>\n
                                                                                                                                  • Leaving old auth tokens active indefinitely<\/li>\n
                                                                                                                                  • Pulling images directly from public registries in production without vetting<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                    Secure deployment recommendations<\/h3>\n\n\n\n
                                                                                                                                      \n
                                                                                                                                    • Use dev\/test repos for experimentation; promote to prod repos via controlled pipeline.<\/li>\n
                                                                                                                                    • Use digest pinning for production rollouts.<\/li>\n
                                                                                                                                    • Restrict who can create\/delete repos and who can push to prod.<\/li>\n
                                                                                                                                    • Consider integrating image scanning and provenance workflows if available in your environment (verify OCI services and integrations).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                      \n\n\n\n
                                                                                                                                      13. Limitations and Gotchas<\/h2>\n\n\n\n
                                                                                                                                      \n
                                                                                                                                      Validate current limits and supported features in official docs; registries evolve quickly.<\/p>\n<\/blockquote>\n\n\n\n
                                                                                                                                      Known limitations \/ common gotchas<\/h3>\n\n\n\n
                                                                                                                                        \n
                                                                                                                                      • Region specificity:<\/strong> Repositories are tied to a region. Pulling across regions can add latency and may incur transfer costs.<\/li>\n
                                                                                                                                      • Namespace confusion:<\/strong> Misunderstanding the tenancy namespace is a top cause of denied<\/code> and unauthorized<\/code> errors.<\/li>\n
                                                                                                                                      • Federated username format:<\/strong> For SSO\/federated identities, Docker username format can differ. Verify in official docs.<\/li>\n
                                                                                                                                      • Mutable tags:<\/strong> Tags can be overwritten; use digests for immutable references.<\/li>\n
                                                                                                                                      • Private subnet egress:<\/strong> OKE\/Compute in private subnets must have outbound connectivity to the registry endpoint. If you assume Service Gateway works for all services, you may be surprised\u2014verify.<\/li>\n
                                                                                                                                      • Large image performance:<\/strong> Very large images slow deployments and inflate costs.<\/li>\n
                                                                                                                                      • Audit coverage:<\/strong> Control-plane operations are typically audited; full data-plane pull\/push logging may not meet strict forensics requirements without additional tooling (verify).<\/li>\n
                                                                                                                                      • Cleanup complexity:<\/strong> Deleting tags\/images may have rules; ensure you understand whether deleting a tag deletes the underlying manifest\/layers or just the reference (verify behavior in docs).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                        Quotas<\/h3>\n\n\n\n
                                                                                                                                          \n
                                                                                                                                        • Repository count, artifact count, and storage quotas can apply.<\/li>\n
                                                                                                                                        • Check OCI Console Limits, Quotas and Usage<\/strong> and Artifact Registry limits documentation.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                          Migration challenges<\/h3>\n\n\n\n
                                                                                                                                            \n
                                                                                                                                          • Image naming changes (endpoint + namespace paths) require updates to deployment manifests.<\/li>\n
                                                                                                                                          • Re-tagging strategies and CI scripts must be updated.<\/li>\n
                                                                                                                                          • Access control differences vs. other registries require careful review.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                            \n\n\n\n
                                                                                                                                            14. Comparison with Alternatives<\/h2>\n\n\n\n
                                                                                                                                            Nearest services in Oracle Cloud<\/h3>\n\n\n\n
                                                                                                                                              \n
                                                                                                                                            • OCI Object Storage<\/strong>: Can store files, but is not a Docker registry; lacks native container push\/pull semantics.<\/li>\n
                                                                                                                                            • OCI DevOps Artifacts\/Deploy artifacts<\/strong>: DevOps pipelines may reference artifacts stored in different backends; Artifact Registry is purpose-built for container distribution.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                              Nearest services in other clouds<\/h3>\n\n\n\n
                                                                                                                                                \n
                                                                                                                                              • AWS Elastic Container Registry (ECR)<\/strong><\/li>\n
                                                                                                                                              • Google Artifact Registry<\/strong><\/li>\n
                                                                                                                                              • Azure Container Registry (ACR)<\/strong><\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                Open-source \/ self-managed alternatives<\/h3>\n\n\n\n
                                                                                                                                                  \n
                                                                                                                                                • Harbor<\/strong> (popular enterprise registry)<\/li>\n
                                                                                                                                                • JFrog Artifactory<\/strong><\/li>\n
                                                                                                                                                • Sonatype Nexus Repository<\/strong><\/li>\n
                                                                                                                                                • Docker Registry<\/strong> (open-source registry server)<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                  Comparison table<\/h4>\n\n\n\n
                                                                                                                                                  \n\n\n\n\n\n\n\n\n\n\n
                                                                                                                                                  Option<\/th>\nBest For<\/th>\nStrengths<\/th>\nWeaknesses<\/th>\nWhen to Choose<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                  OCI Artifact Registry<\/strong><\/td>\nOCI-native container delivery<\/td>\nIAM + compartments, OCI integration, regional proximity to OCI Compute\/OKE<\/td>\nFeature parity vs specialized registries depends on region\/roadmap; cross-cloud patterns may require extra work<\/td>\nYour runtime is on Oracle Cloud and you want OCI-native governance<\/td>\n<\/tr>\n
                                                                                                                                                  OCI Object Storage<\/td>\nGeneric file storage<\/td>\nDurable object storage, lifecycle policies<\/td>\nNot a container registry; no native docker push\/pull<\/td>\nStore non-registry artifacts or backups\/exports<\/td>\n<\/tr>\n
                                                                                                                                                  AWS ECR<\/td>\nAWS workloads<\/td>\nDeep AWS integration, mature ecosystem<\/td>\nCross-cloud pulls can incur complexity\/cost<\/td>\nYour runtime is on AWS<\/td>\n<\/tr>\n
                                                                                                                                                  Google Artifact Registry<\/td>\nGCP workloads<\/td>\nStrong integration with GKE\/Cloud Build<\/td>\nNot OCI-native<\/td>\nYour runtime is on GCP<\/td>\n<\/tr>\n
                                                                                                                                                  Azure ACR<\/td>\nAzure workloads<\/td>\nTight AKS\/Azure DevOps integration<\/td>\nNot OCI-native<\/td>\nYour runtime is on Azure<\/td>\n<\/tr>\n
                                                                                                                                                  Harbor (self-managed)<\/td>\nEnterprise control, on-prem\/hybrid<\/td>\nRich policy controls, can run anywhere<\/td>\nYou operate and secure it; upgrades, storage, HA<\/td>\nYou need on-prem\/hybrid registry or custom controls<\/td>\n<\/tr>\n
                                                                                                                                                  JFrog Artifactory<\/td>\nLarge enterprises, multi-format<\/td>\nBroad artifact formats, enterprise workflows<\/td>\nCost and operational complexity<\/td>\nYou need one repo manager for many artifact types across clouds<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                  \n\n\n\n
                                                                                                                                                  15. Real-World Example<\/h2>\n\n\n\n
                                                                                                                                                  Enterprise example: regulated financial services on OCI + OKE<\/h3>\n\n\n\n
                                                                                                                                                    \n
                                                                                                                                                  • Problem:<\/strong> The organization runs microservices on OKE with strict separation between dev\/test\/prod and strong audit requirements. They want to prevent developers from pushing directly to production images.<\/li>\n
                                                                                                                                                  • Proposed architecture:<\/strong><\/li>\n
                                                                                                                                                  • Artifact Registry repositories separated by compartment: dev<\/code>, test<\/code>, prod<\/code><\/li>\n
                                                                                                                                                  • OCI DevOps build pipeline pushes to dev<\/code> repository<\/li>\n
                                                                                                                                                  • Promotion pipeline retags or copies approved images into prod<\/code> repository (exact mechanism depends on supported operations\u2014verify)<\/li>\n
                                                                                                                                                  • OKE production nodes only have pull access to prod<\/code><\/li>\n
                                                                                                                                                  • OCI Audit enabled for control-plane operations<\/li>\n
                                                                                                                                                  • Auth tokens stored in OCI Vault for CI use<\/li>\n
                                                                                                                                                  • Why Artifact Registry was chosen:<\/strong> OCI-native IAM and compartments align with enterprise governance and reduce the overhead of maintaining a self-hosted registry.<\/li>\n
                                                                                                                                                  • Expected outcomes:<\/strong><\/li>\n
                                                                                                                                                  • Clear separation of duties (developers build; release engineering promotes)<\/li>\n
                                                                                                                                                  • Faster and more reliable deployments due to regional proximity<\/li>\n
                                                                                                                                                  • Improved traceability via standardized tags and controlled promotion<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                    Startup\/small-team example: single VM + lightweight containers<\/h3>\n\n\n\n
                                                                                                                                                      \n
                                                                                                                                                    • Problem:<\/strong> A small team deploys two containerized services to OCI Compute VMs. They want a simple, private place to store images without running their own registry server.<\/li>\n
                                                                                                                                                    • Proposed architecture:<\/strong><\/li>\n
                                                                                                                                                    • One Artifact Registry repository per service<\/li>\n
                                                                                                                                                    • GitHub Actions (or OCI DevOps) builds and pushes images on each release<\/li>\n
                                                                                                                                                    • VM pulls images during deployment using a scoped auth token<\/li>\n
                                                                                                                                                    • Why Artifact Registry was chosen:<\/strong> Minimal operational burden and straightforward Docker compatibility.<\/li>\n
                                                                                                                                                    • Expected outcomes:<\/strong><\/li>\n
                                                                                                                                                    • Repeatable deployments and quick rollback to prior tags<\/li>\n
                                                                                                                                                    • Reduced risk from pulling directly from public registries<\/li>\n
                                                                                                                                                    • Clean path to migrate to OKE later without changing the artifact source<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                      \n\n\n\n
                                                                                                                                                      16. FAQ<\/h2>\n\n\n\n
                                                                                                                                                      1) Is Artifact Registry the same as OCIR (OCI Registry)?<\/strong>\nArtifact Registry is the current service name in OCI for registry capabilities, and many endpoints\/workflows still reference ocir.io<\/code>. Older documentation may use \u201cOCIR.\u201d Confirm current terminology and capabilities in the official docs.<\/p>\n\n\n\n
                                                                                                                                                      2) Is Artifact Registry global or regional?<\/strong>\nArtifact registries are typically regional<\/strong> in OCI. Create repositories in the region where you deploy Compute\/OKE for best performance. Verify any cross-region options in official docs.<\/p>\n\n\n\n
                                                                                                                                                      3) What can I store in Artifact Registry?<\/strong>\nMost commonly container images<\/strong>. Other artifact formats (for example Helm charts or generic artifacts) may be supported\u2014verify supported formats in the official documentation for your tenancy\/region.<\/p>\n\n\n\n
                                                                                                                                                      4) How do I authenticate Docker to OCI Artifact Registry?<\/strong>\nCommonly via docker login REGIONKEY.ocir.io<\/code> using NAMESPACE\/USERNAME<\/code> and an auth token<\/strong> as the password. Username formats can differ for federated identities\u2014verify.<\/p>\n\n\n\n
                                                                                                                                                      5) Should I use my OCI console password for Docker login?<\/strong>\nTypically no. OCI commonly recommends auth tokens<\/strong> for registry access. Follow the official Artifact Registry authentication guide.<\/p>\n\n\n\n
                                                                                                                                                      6) How should I name repositories?<\/strong>\nUse a consistent convention: per team, per app, or per environment. Example: team-service<\/code>, and enforce it with governance.<\/p>\n\n\n\n
                                                                                                                                                      7) Should I deploy using image tags or digests?<\/strong>\nUse digests<\/strong> for strict immutability in production where possible. Use tags for human readability and promotion flows.<\/p>\n\n\n\n
                                                                                                                                                      8) Can OKE pull images from Artifact Registry automatically?<\/strong>\nOKE can pull images from OCI registry endpoints, but authentication method depends on cluster\/node setup and repository visibility. Configure imagePullSecrets where required.<\/p>\n\n\n\n
                                                                                                                                                      9) Does Artifact Registry support vulnerability scanning?<\/strong>\nOCI has security services that can scan container images in registries, but the exact integration and coverage should be confirmed in current official docs for your region and service versions.<\/p>\n\n\n\n
                                                                                                                                                      10) How do I keep costs down?<\/strong>\nReduce image size, delete old tags, avoid storing every CI build forever, and keep pulls in-region.<\/p>\n\n\n\n
                                                                                                                                                      11) Why do I get denied: requested access<\/code> when pushing?<\/strong>\nUsually wrong repo path, wrong namespace, or missing IAM permission. Confirm the repo exists in the selected compartment and your policy allows pushing.<\/p>\n\n\n\n
                                                                                                                                                      12) Why do pulls work on my laptop but not from a private VM?<\/strong>\nPrivate subnets need outbound HTTPS access. Ensure NAT\/equivalent egress routing and DNS are correct.<\/p>\n\n\n\n
                                                                                                                                                      13) Can I use Artifact Registry for non-container artifacts?<\/strong>\nPossibly, depending on what artifact formats OCI supports in Artifact Registry at the time. Verify official docs for supported repository formats.<\/p>\n\n\n\n
                                                                                                                                                      14) How do I implement dev\/test\/prod separation?<\/strong>\nUse separate compartments and separate repositories, then lock down prod push rights to a release automation identity.<\/p>\n\n\n\n
                                                                                                                                                      15) What\u2019s the best way to rotate registry credentials?<\/strong>\nUse dedicated tokens for CI and for runtime, store them in Vault\/secret manager, rotate on a schedule, and revoke immediately on suspected compromise.<\/p>\n\n\n\n
                                                                                                                                                      16) What happens when I delete a tag?<\/strong>\nBehavior differs between registry implementations. It may remove only the tag reference or mark artifacts for garbage collection. Verify OCI\u2019s deletion semantics before building cleanup automation.<\/p>\n\n\n\n
                                                                                                                                                      17) Do I need OCI CLI to use Artifact Registry?<\/strong>\nNo. You can do everything with Console + Docker. CLI\/API become useful for automation and repeatability.<\/p>\n\n\n\n
                                                                                                                                                      \n\n\n\n
                                                                                                                                                      17. Top Online Resources to Learn Artifact Registry<\/h2>\n\n\n\n
                                                                                                                                                      \n\n\n\n\n\n\n\n\n\n\n\n\n\n
                                                                                                                                                      Resource Type<\/th>\nName<\/th>\nWhy It Is Useful<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                      Official documentation<\/td>\nOCI Artifact Registry \/ Registry docs: https:\/\/docs.oracle.com\/en-us\/iaas\/<\/td>\nAuthoritative reference for repositories, auth, endpoints, limits<\/td>\n<\/tr>\n
                                                                                                                                                      Official service docs (common path used historically)<\/td>\nOCI Registry documentation (may include Artifact Registry content): https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/Registry\/home.htm<\/td>\nMany workflows still reference OCIR endpoints and Docker usage<\/td>\n<\/tr>\n
                                                                                                                                                      Official IAM docs<\/td>\nOCI IAM Overview: https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/Identity\/home.htm<\/td>\nUnderstand policies, groups, dynamic groups, auth concepts<\/td>\n<\/tr>\n
                                                                                                                                                      Official pricing<\/td>\nOracle Cloud Price List: https:\/\/www.oracle.com\/cloud\/price-list\/<\/td>\nConfirm current pricing dimensions for storage and egress<\/td>\n<\/tr>\n
                                                                                                                                                      Official cost tool<\/td>\nOCI Cost Estimator: https:\/\/www.oracle.com\/cloud\/costestimator.html<\/td>\nBuild region-specific cost estimates without guessing numbers<\/td>\n<\/tr>\n
                                                                                                                                                      Official Compute docs<\/td>\nOCI Compute docs: https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/Compute\/home.htm<\/td>\nVM setup for running\/pulling container images<\/td>\n<\/tr>\n
                                                                                                                                                      Official OKE docs<\/td>\nOCI Container Engine for Kubernetes: https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/ContEng\/home.htm<\/td>\nKubernetes image pull patterns and cluster architecture<\/td>\n<\/tr>\n
                                                                                                                                                      Official DevOps docs<\/td>\nOCI DevOps: https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/devops\/using\/home.htm<\/td>\nCI\/CD integration patterns with registries<\/td>\n<\/tr>\n
                                                                                                                                                      Official security\/audit docs<\/td>\nOCI Audit: https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/Audit\/home.htm<\/td>\nGovernance and visibility into registry management operations<\/td>\n<\/tr>\n
                                                                                                                                                      Trusted community<\/td>\nOracle Cloud Infrastructure blog: https:\/\/blogs.oracle.com\/cloud-infrastructure\/<\/td>\nPractical announcements and implementation guidance (validate against docs)<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                      \n\n\n\n
                                                                                                                                                      18. Training and Certification Providers<\/h2>\n\n\n\n
                                                                                                                                                      \n\n\n\n\n\n\n\n\n
                                                                                                                                                      Institute<\/th>\nSuitable Audience<\/th>\nLikely Learning Focus<\/th>\nMode<\/th>\nWebsite URL<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                      DevOpsSchool.com<\/td>\nDevOps engineers, SREs, platform teams<\/td>\nCI\/CD, containers, cloud DevOps practices (verify OCI coverage)<\/td>\nCheck website<\/td>\nhttps:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n
                                                                                                                                                      ScmGalaxy.com<\/td>\nBeginners to intermediate DevOps learners<\/td>\nSCM, DevOps tooling, foundational practices<\/td>\nCheck website<\/td>\nhttps:\/\/www.scmgalaxy.com\/<\/td>\n<\/tr>\n
                                                                                                                                                      CLoudOpsNow.in<\/td>\nCloud operations teams<\/td>\nCloud ops, monitoring, automation, operations practices<\/td>\nCheck website<\/td>\nhttps:\/\/cloudopsnow.in\/<\/td>\n<\/tr>\n
                                                                                                                                                      SreSchool.com<\/td>\nSREs, reliability engineers<\/td>\nSRE principles, incident response, observability<\/td>\nCheck website<\/td>\nhttps:\/\/sreschool.com\/<\/td>\n<\/tr>\n
                                                                                                                                                      AiOpsSchool.com<\/td>\nOps teams adopting AIOps<\/td>\nAIOps concepts, automation, event correlation<\/td>\nCheck website<\/td>\nhttps:\/\/aiopsschool.com\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                      \n\n\n\n
                                                                                                                                                      19. Top Trainers<\/h2>\n\n\n\n
                                                                                                                                                      \n\n\n\n\n\n\n\n
                                                                                                                                                      Platform\/Site<\/th>\nLikely Specialization<\/th>\nSuitable Audience<\/th>\nWebsite URL<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                      RajeshKumar.xyz<\/td>\nDevOps\/cloud training content (verify offerings)<\/td>\nEngineers seeking guided training<\/td>\nhttps:\/\/rajeshkumar.xyz\/<\/td>\n<\/tr>\n
                                                                                                                                                      devopstrainer.in<\/td>\nDevOps training services (verify OCI coverage)<\/td>\nDevOps beginners to advanced<\/td>\nhttps:\/\/devopstrainer.in\/<\/td>\n<\/tr>\n
                                                                                                                                                      devopsfreelancer.com<\/td>\nFreelance DevOps help\/training (verify scope)<\/td>\nTeams needing short-term expertise<\/td>\nhttps:\/\/devopsfreelancer.com\/<\/td>\n<\/tr>\n
                                                                                                                                                      devopssupport.in<\/td>\nDevOps support and guidance (verify services)<\/td>\nOps teams needing practical help<\/td>\nhttps:\/\/devopssupport.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                      \n\n\n\n
                                                                                                                                                      20. Top Consulting Companies<\/h2>\n\n\n\n
                                                                                                                                                      \n\n\n\n\n\n\n
                                                                                                                                                      Company<\/th>\nLikely Service Area<\/th>\nWhere They May Help<\/th>\nConsulting Use Case Examples<\/th>\nWebsite URL<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                      cotocus.com<\/td>\nCloud\/DevOps consulting (verify portfolio)<\/td>\nArchitecture, migrations, CI\/CD, ops<\/td>\nOCI container platform setup, registry governance model, pipeline hardening<\/td>\nhttps:\/\/cotocus.com\/<\/td>\n<\/tr>\n
                                                                                                                                                      DevOpsSchool.com<\/td>\nDevOps consulting and enablement<\/td>\nTraining + delivery support<\/td>\nBuild-to-deploy pipelines using Artifact Registry, OKE deployment patterns, IAM best practices<\/td>\nhttps:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n
                                                                                                                                                      DEVOPSCONSULTING.IN<\/td>\nDevOps consulting (verify services)<\/td>\nDevOps transformation and automation<\/td>\nContainer standardization, secret management, rollout strategies<\/td>\nhttps:\/\/devopsconsulting.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                      \n\n\n\n
                                                                                                                                                      21. Career and Learning Roadmap<\/h2>\n\n\n\n
                                                                                                                                                      What to learn before this service<\/h3>\n\n\n\n
                                                                                                                                                        \n
                                                                                                                                                      • Docker fundamentals: images, layers, tags, registries<\/li>\n
                                                                                                                                                      • Basic OCI concepts: compartments, VCNs, IAM users\/groups\/policies<\/li>\n
                                                                                                                                                      • Compute basics: VM provisioning, SSH, firewall\/security lists<\/li>\n
                                                                                                                                                      • CI fundamentals: build\/test\/publish steps<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                        What to learn after this service<\/h3>\n\n\n\n
                                                                                                                                                          \n
                                                                                                                                                        • OCI DevOps pipelines (build and deploy)<\/li>\n
                                                                                                                                                        • OKE (Kubernetes) production operations<\/li>\n
                                                                                                                                                        • Secrets management with OCI Vault<\/li>\n
                                                                                                                                                        • Supply chain security: digest pinning, provenance, signing (depending on toolchain support)<\/li>\n
                                                                                                                                                        • Observability: logging\/metrics for deployment pipelines and runtime<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                          Job roles that use it<\/h3>\n\n\n\n
                                                                                                                                                            \n
                                                                                                                                                          • DevOps Engineer<\/li>\n
                                                                                                                                                          • Site Reliability Engineer (SRE)<\/li>\n
                                                                                                                                                          • Cloud Engineer (Oracle Cloud)<\/li>\n
                                                                                                                                                          • Platform Engineer<\/li>\n
                                                                                                                                                          • Kubernetes Administrator\/Engineer<\/li>\n
                                                                                                                                                          • Security Engineer (cloud application security)<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                            Certification path (if available)<\/h3>\n\n\n\n
                                                                                                                                                            Oracle\u2019s certification offerings change over time. Look for:\n– OCI Architect\/Developer\/DevOps-related certifications on Oracle University (verify current certification titles and whether Artifact Registry is covered).<\/p>\n\n\n\n
                                                                                                                                                            Project ideas for practice<\/h3>\n\n\n\n
                                                                                                                                                              \n
                                                                                                                                                            • Build a CI pipeline that pushes versioned images to Artifact Registry and deploys to a Compute VM.<\/li>\n
                                                                                                                                                            • Create an OKE deployment that pulls from a private repo using imagePullSecrets.<\/li>\n
                                                                                                                                                            • Implement an image retention cleanup script using OCI CLI\/API (verify supported endpoints).<\/li>\n
                                                                                                                                                            • Design dev\/test\/prod compartment separation with least-privilege IAM policies.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                              \n\n\n\n
                                                                                                                                                              22. Glossary<\/h2>\n\n\n\n
                                                                                                                                                                \n
                                                                                                                                                              • Artifact<\/strong>: A build output used for deployment (container image, chart, package).<\/li>\n
                                                                                                                                                              • Artifact Registry<\/strong>: OCI managed service for storing\/distributing artifacts (commonly container images).<\/li>\n
                                                                                                                                                              • OCIR<\/strong>: OCI Registry; legacy\/older naming often still used in endpoints (ocir.io<\/code>).<\/li>\n
                                                                                                                                                              • Compartment<\/strong>: OCI logical container for resources and IAM access boundaries.<\/li>\n
                                                                                                                                                              • Tenancy namespace<\/strong>: Unique identifier used in OCI registry image names.<\/li>\n
                                                                                                                                                              • Repository (repo)<\/strong>: A named collection of artifacts\/images.<\/li>\n
                                                                                                                                                              • Tag<\/strong>: Human-readable label for an image version (:1.0.0<\/code>, :prod<\/code>).<\/li>\n
                                                                                                                                                              • Digest<\/strong>: Immutable cryptographic identifier for a specific image (@sha256:...<\/code>).<\/li>\n
                                                                                                                                                              • Auth token<\/strong>: Token used as a password for registry authentication.<\/li>\n
                                                                                                                                                              • OKE<\/strong>: Oracle Container Engine for Kubernetes.<\/li>\n
                                                                                                                                                              • Egress<\/strong>: Outbound network traffic from a VCN\/subnet to a service endpoint.<\/li>\n
                                                                                                                                                              • NAT gateway<\/strong>: OCI networking component enabling outbound internet access for private subnets.<\/li>\n
                                                                                                                                                              • Least privilege<\/strong>: Grant only the permissions required to perform a task.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                \n\n\n\n
                                                                                                                                                                23. Summary<\/h2>\n\n\n\n
                                                                                                                                                                Oracle Cloud Artifact Registry<\/strong> is OCI\u2019s managed registry service for storing and distributing artifacts\u2014most commonly container images<\/strong> that are pulled and run by Compute<\/strong> instances and OKE<\/strong> clusters. It matters because reliable artifact storage is a prerequisite for consistent CI\/CD, safe rollouts, and scalable operations.<\/p>\n\n\n\n
                                                                                                                                                                Architecturally, treat Artifact Registry as a regional dependency for your deployments: keep artifacts close to runtime, separate environments by compartments, and deploy production by digest when possible. Cost is primarily driven by stored GB-month and image pull\/egress patterns\u2014so reduce image size, control retention, and avoid unnecessary cross-region pulls. Security hinges on IAM: lock down push access to production repositories, protect auth tokens, and use audit logs for governance.<\/p>\n\n\n\n
                                                                                                                                                                Next step: integrate Artifact Registry with an OCI DevOps build\/deploy pipeline or an OKE cluster pull workflow, and formalize your tag\/digest promotion strategy.<\/p>\n","protected":false},"excerpt":{"rendered":"
                                                                                                                                                                Compute<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26,62],"tags":[],"class_list":["post-865","post","type-post","status-publish","format-standard","hentry","category-compute","category-oracle-cloud"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/865","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/comments?post=865"}],"version-history":[{"count":0,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/865\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/media?parent=865"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/categories?post=865"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/tags?post=865"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}